Configure Direct Authentication grant types

About the direct authentication

Use direct authentication when you want your app to authenticate users itself, rather than delegating authentication to an IdP or authorization server through an HTTP redirect in a web browser. Delegated, browser-based authentication is preferred; reserve direct authentication for situations where there's a high degree of trust between the user and your app.

You can also use direct authentication where usability constraints hinder browser-based flows, such as in mobile apps.


Grant-type flow

Enable authenticators for your org

Direct authentication grant type flows use passwordless authentication, such as Okta Verify, SMS, or signing in with email. To use the direct authentication

flow, you must enable a non-password authenticator like

  1. Open the Admin Console for your org.
  2. Go to Security > Authenticators to view the available authenticators.
  3. Do the following if
    isn't in the list:
    • Click Add authenticator.
    • Click Add on the authenticator tile, and then click Add in the next dialog.
    • Verify the status of the authenticator.
      • Select the Enrollment tab.
      • Identify the authenticator and verify that the authenticator is set to either Optional or Required in the Eligible authenticators section of the Default Policy.
    • If the authenticator is set to Disabled, enable the authenticator.
      • Click Edit for the Default Policy.
      • Select Optional from the dropdown box for the authenticator.
      • Click Update Policy.

Set up your authorization server

To use the

flow, both your client app and the Okta authorization server used with the app must have the
grant type enabled.

If your Okta org uses Identity Engine, then the

grant type is automatically configured in your org authorization server. For custom authorization servers used with your app, you must enable

  1. In the Admin Console, go to Security > API.

  2. On the Authorization Servers tab, click the pencil icon next to the authorization server that you want to use.

  3. Select the Access Policies tab.

  4. Click the pencil icon in the Actions column for the Default Policy Rule to open the Edit Rule dialog.

    Note: If you're using a different policy for your app, edit that policy instead.

  5. Click Advanced in the IF Grant type is section.

  6. Select

    in the Okta direct auth API grants section (in addition to any other grant type that is already supported).

  7. Click Update Rule.

Set up your app

Before you can implement authorization, you need to register your app in Okta by creating an app integration from the Admin Console.

Note: When you create or update an app, you must have super admin permissions to enable direct authentication grant types.

  1. Open the Admin Console for your org.
  2. Select Applications > Applications to view the current app integrations.
  3. Click Create App Integration.
  4. Select
    as the Sign-in method.
  5. Select Native Application as the Application type, then click Next.
  6. Specify the App integration name.
  7. Click Advanced in the Grant type section and select the
    in addition to the defaults.
  8. Select Allow everyone in your organization to access, then click Save.
  9. From the General tab of your app integration, copy and save the generated Client ID value to implement your authorization flow.
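The two procedures above (Set up your authorization server and Set up your app) leave the same grant type in two places that must agree: the app's grant_types and the IF Grant type is condition (grantTypes.include) of an active access policy rule on the authorization server. The following Python script is an added example and is not code from this page or from Okta. It checks both against the JSON shapes returned by the Okta Management API (GET /api/v1/apps/{appId} and GET /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules) and builds the corrected bodies you would PUT back. The sample JSON is constructed and trimmed to the relevant fields, and GRANT_TYPE is a placeholder to replace with the grant type that this page's flow uses.

```python
import copy
from typing import Iterable

# Placeholder: replace with the direct authentication grant type this page's flow uses.
GRANT_TYPE = "urn:example:direct-auth-grant"

# Constructed sample, trimmed to the fields that matter, in the shape returned by
# GET /api/v1/apps/{appId} (Okta Management API).
SAMPLE_APP = {
    "id": "0oa_example_app",
    "label": "Direct auth test app",
    "status": "ACTIVE",
    "settings": {
        "oauthClient": {
            "application_type": "native",
            "grant_types": ["authorization_code", "refresh_token"],
            "response_types": ["code"],
        }
    },
}

# Constructed sample in the shape returned by
# GET /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules.
# The second rule already lists the grant but is INACTIVE, so it must not count.
SAMPLE_RULES = [
    {
        "id": "0pr_example_rule",
        "name": "Default Policy Rule",
        "status": "ACTIVE",
        "type": "RESOURCE_ACCESS",
        "conditions": {
            "grantTypes": {"include": ["authorization_code", "refresh_token"]},
            "scopes": {"include": ["*"]},
        },
    },
    {
        "id": "0pr_inactive_rule",
        "name": "Old rule",
        "status": "INACTIVE",
        "type": "RESOURCE_ACCESS",
        "conditions": {"grantTypes": {"include": [GRANT_TYPE]}, "scopes": {"include": ["*"]}},
    },
]


def rule_allows_grant(rule: dict, grant_type: str) -> bool:
    """True if an ACTIVE access policy rule lists grant_type in its IF Grant type is condition."""
    if rule.get("status") != "ACTIVE":
        return False
    include = rule.get("conditions", {}).get("grantTypes", {}).get("include", [])
    return grant_type in include


def check_direct_auth_setup(app: dict, rules: Iterable[dict], grant_type: str) -> dict:
    """Report whether the client app and the authorization server both permit grant_type.

    Mirrors the page's requirement: the grant must be enabled on the app (which must be a
    Native Application) and on an active access policy rule of the authorization server.
    """
    client = app.get("settings", {}).get("oauthClient", {})
    findings = {
        "app_is_native": client.get("application_type") == "native",
        "app_has_grant": grant_type in client.get("grant_types", []),
        "rules_allowing_grant": [r["name"] for r in rules if rule_allows_grant(r, grant_type)],
    }
    findings["ready"] = (
        findings["app_is_native"] and findings["app_has_grant"] and bool(findings["rules_allowing_grant"])
    )
    return findings


def enable_grant(app: dict, rules: list, grant_type: str, rule_name: str = "Default Policy Rule") -> tuple:
    """Return deep copies of the app and rules with grant_type added where it is missing.

    The copies are the bodies you would send with PUT /api/v1/apps/{appId} and
    PUT .../policies/{policyId}/rules/{ruleId}. The inputs are left untouched so a dry
    run can be diffed against the live objects before anything is written.
    """
    app_copy = copy.deepcopy(app)
    grants = app_copy.setdefault("settings", {}).setdefault("oauthClient", {}).setdefault("grant_types", [])
    if grant_type not in grants:
        grants.append(grant_type)

    rules_copy = copy.deepcopy(rules)
    for rule in rules_copy:
        if rule.get("name") == rule_name and rule.get("status") == "ACTIVE":
            include = rule.setdefault("conditions", {}).setdefault("grantTypes", {}).setdefault("include", [])
            if grant_type not in include:
                include.append(grant_type)
    return app_copy, rules_copy


if __name__ == "__main__":
    print("before:", check_direct_auth_setup(SAMPLE_APP, SAMPLE_RULES, GRANT_TYPE))
    fixed_app, fixed_rules = enable_grant(SAMPLE_APP, SAMPLE_RULES, GRANT_TYPE)
    print("after: ", check_direct_auth_setup(fixed_app, fixed_rules, GRANT_TYPE))
```

The ready flag only covers grant enablement. Token issuance is still gated by the authenticator enrollment from Enable authenticators for your org and by the app's authentication policy from the next section, so a green result here means the token endpoint will accept the grant type, not that a sign-in will succeed. Writing the corrected bodies back needs the super admin permission noted above.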

Set up the authentication policy

In direct authentication flows, the client specifies a grant type that indicates the type of authenticator being used. However, the server can't grant a token until the client’s authentication policy is satisfied.

Note: This example creates a new app authentication policy with a

for testing purposes.

  1. Go to your app’s Sign On tab, scroll to the bottom, and click View policy details.
  2. Click Actions on the right of the Default Policy title and select Clone policy.
  3. Click Actions again and select Edit name and description.
  4. Name the policy (for example,
    ) and click Save.
  5. Click Add a rule, name it (for example,
  6. Specify your test user for AND User is.
  7. Skip down to AND User must authenticate with and select
    , and then click Save.
  8. Open the application that you just created and select the Sign On tab.
  9. Scroll to the User authentication section at the bottom and click Edit.
  10. Select the authentication policy that you just created and click Save.

Flow specifics

Next steps